Table of Contents
Issue
Symptoms
Reason
Solution
Issue
After upgrading the Controller to v4.5.x, you may encounter an issue where the SAML authentication request fails for accounts that use Active Directory Federation Services (ADFS) SAML. As a result, you may experience problems logging in via SAML to your Controller.
Symptoms
You will see the following error in the Controller server.log:
[#|2018-11-29T15:42:57.360-0800|SEVERE|glassfish 4.1|com.singularity.ee.controller.servlet.SAMLAuthenticationServlet|_ThreadID=75;_ThreadName=http-listener-1(13);_TimeMillis=1543534977360;_LevelValue=1000;|Error while processing SAML Authentication Response com.onelogin.saml2.exception.ValidationError: No name id found in Document. at com.onelogin.saml2.authn.SamlResponse.getNameIdData(SamlResponse.java:466) at com.onelogin.saml2.authn.SamlResponse.getNameId(SamlResponse.java:480) at com.onelogin.saml2.Auth.processResponse(Auth.java:527) at com.onelogin.saml2.Auth.processResponse(Auth.java:557) at com.appdynamics.platform.services.auth.impl.resource.SamlAuthenticationResourceImpl.consumeSAMLAuthenticationResponseInternal(SamlAuthenticationResourceImpl.java:206) at com.appdynamics.platform.services.auth.impl.resource.SamlAuthenticationResourceImpl.consumeSAMLAuthenticationResponse(SamlAuthenticationResourceImpl.java:162) at com.appdynamics.controller.mds.auth.MdsSamlAuthResourceImpl.consumeSAMLAuthenticationResponse(MdsSamlAuthResourceImpl.java:59) at com.singularity.ee.controller.servlet.SAMLAuthenticationServlet.doPost(SAMLAuthenticationServlet.java:262) at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1682) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:344) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) at com.singularity.ee.controller.servlet.RequestOriginMarkingFilter.lambda$doFilter$0(RequestOriginMarkingFilter.java:37) at com.appdynamics.platform.RequestOrigin.runAs(RequestOrigin.java:65)
Reason
As part of our improvements around SAML 2.0 authentication in the v4.5 release, our SAML implementation now requires a NameID assertion for Microsoft ADFS. If your configuration has not been updated to include this prior to upgrading to v4.5, you may encounter the error above.
Solution
To resolve this, add Name ID as the Outgoing Claim Type in your claim rule. You can map Name ID to any attribute that uniquely identifies the user (SAM-Account-Name, email, UPN, etc.). Follow the steps below prior to upgrading your Controller.
1. From your ADFS Console, select the “Relying Party Trusts” folder.
2. Select your trust for AppDynamics and right click on it.
3. Choose “Edit Claim Issuance Policy…”
4. On the Issuance Transform Rules screen, select your AppDynamics rule and click the “Edit Rule…” button.
5. In the Edit Rule dialog, either add a new unique identifier (e.g., SAM-Account-Name) or edit the existing unique identifier (e.g., SAM-Account-Name) and map it to the Outgoing Claim Type “Name ID.”
(Screenshot: Add a new unique attribute)
(Screenshot: Edit an existing attribute)
6. Save your work.
7. Test to ensure that the authentication succeeds.
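The GUI steps above produce an ADFS issuance transform rule; the following is an added example (not part of the AppDynamics article) that scripts the same change with the ADFS PowerShell module, issuing sAMAccountName as the Name ID claim. It assumes the relying party trust is named "AppDynamics" and that it runs in an elevated session on the ADFS server.

```powershell
# Added example, not from the AppDynamics article: script the claim rule the GUI steps create.
# ASSUMPTION: the relying party trust is named "AppDynamics"; change it to match your ADFS console.
$TrustName = 'AppDynamics'

# windowsaccountname is supplied by AD AUTHORITY after logon; nameidentifier is the
# claim type shown as "Name ID" in the Outgoing Claim Type list of the Edit Rule dialog.
$WinAcctClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
$NameIdClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'

# ADFS claim rule language: look up sAMAccountName for the logged-on user in the
# Active Directory attribute store and issue it as the Name ID claim.
$NameIdRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "AppDynamics - sAMAccountName as Name ID"
c:[Type == "$WinAcctClaim", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$NameIdClaim"), query = ";sAMAccountName;{0}", param = c.Value);
"@

$trust = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $trust) { throw "Relying party trust '$TrustName' not found" }

# Keep the existing issuance rules and append only if Name ID is not already issued,
# so re-running the script does not add a duplicate rule.
$existing = [string]$trust.IssuanceTransformRules
if ($existing -match [regex]::Escape($NameIdClaim)) {
    Write-Host "Trust '$TrustName' already issues a Name ID claim; nothing to do."
} else {
    $combined = if ($existing) { $existing + "`r`n" + $NameIdRule } else { $NameIdRule }
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -IssuanceTransformRules $combined
    Write-Host "Added Name ID claim rule to '$TrustName'."
}

# Verify the stored rule set now references the nameidentifier claim type before upgrading.
(Get-AdfsRelyingPartyTrust -Name $TrustName).IssuanceTransformRules
```

After running it, complete step 7 above: sign in to the Controller through SAML and confirm that server.log no longer reports "No name id found in Document".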